Vulnerable system drivers continue to be a vector exploited by attackers to compromise systems. In eG Enterprise version 7.5 we added a number of periodic security checks to help administrators proactively identify weaknesses, including monitoring for vulnerable system drivers. This new capability is supported for a Windows OS when using a VM agent for inside-view monitoring and/or when monitoring an Azure Virtual Desktop session host. The same eG agent that is used for performance monitoring also performs certain security checks at periodic intervals.
Understanding Windows System Driver Vulnerabilities – Some Recent Attacks
Windows system driver vulnerabilities are particularly dangerous because drivers operate at the kernel level, with the highest system privileges. Exploiting these flaws allows attackers to bypass user-mode security, disable antivirus software, and gain deep, persistent access to the operating system.
Unlike user applications, drivers can manipulate memory directly, making detection and remediation more complex. Additionally, many drivers are signed and trusted by Windows, allowing them to run without raising security flags. This trust is often abused in Bring Your Own Vulnerable Driver (BYOVD) attacks, where outdated or flawed drivers become the gateway for full system compromise and stealthy malware deployment.
What is Bring Your Own Vulnerable Driver (BYOVD)?
Bring Your Own Vulnerable Driver (BYOVD) is a cyberattack technique whereby an attacker:
- Deliberately installs a legitimate, but known-vulnerable kernel driver (often signed and trusted by Windows),
- Then exploits its weaknesses to execute malicious code with kernel or SYSTEM-level privileges.
Why It Works:
- Many vulnerable drivers are digitally signed, so Windows permits them—even if they have flaws.
- Once loaded, these drivers can give attackers deep access to the OS kernel, bypassing user-mode defenses, security tools, or even EDRs.
An insightful way to learn about the attack vectors and threats around system drivers and their vulnerabilities is to read the postmortem-style reviews widely available for recent incidents. Here are three typical examples.
Example 1. CVE-2024-38193 (AFD.sys) – Lazarus Group Rootkit
A North Korean threat actor exploited a previously unknown (zero-day) vulnerability in the Windows Ancillary Function Driver (AFD.sys), allowing kernel-level privilege escalation. They deployed a stealthy rootkit (“FudModule”), achieving SYSTEM access and disabling security tools via a fileless attack using built-in drivers. Read the details: Cybersecurity Threat Advisory: Exploited Microsoft zero-day flaw | Barracuda Networks Blog.
The attack was particularly dangerous because the AFD.sys driver is a core component of Windows. Its exploitation did not require the introduction of additional drivers and went beyond a typical BYOVD approach.
Example 2. ZoneAlarm Driver (vsdatant.sys) – BYOVD Exploit
Attackers abused vulnerabilities in the Check Point ZoneAlarm kernel driver (vsdatant.sys) to bypass Windows Memory Integrity protections, escalate privileges, disable endpoint security, and exfiltrate credentials. The driver was signed and trusted, and thus remained undetected. Read the details: Cybercriminals Exploit Checkpoint’s Driver in a BYOVD Attack! – Venak Security.
Example 3. Paragon Driver (BioNTdrv.sys) – Ransomware Escalation
Ransomware actors exploited multiple vulnerabilities in the Microsoft-signed Paragon Partition Manager driver (BioNTdrv.sys), including CVE-2025-0289, to escalate privileges and execute kernel-level commands. Patching and Microsoft blocklisting were advised to prevent ongoing attacks, and Paragon has addressed the issue in newer versions of the driver. See this review from March 2025 for further details: Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks.
How You Can Protect Yourself from System Driver Vulnerabilities on Windows OSs
One of the most important steps you can take is to follow the Microsoft recommended driver block rules – see Microsoft recommended driver block rules | Microsoft Learn.
How eG Enterprise Monitors System Driver Vulnerabilities on Windows OSs
eG Enterprise retrieves a list of known-vulnerable drivers and then compares the drivers present locally against that list. The vulnerable drivers list is periodically retrieved by the eG manager and then distributed to the agents. This requires the eG manager to have Internet access and to be able to reach the reference list.
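To illustrate the kind of comparison described above, the PowerShell below (an added example written for this article, not the eG agent's own logic) hashes every kernel driver registered on a host and flags any whose SHA256 appears in a reference list. The JSON layout and the two hash values in the reference list are constructed placeholders; a real list would be populated from a curated source such as the Microsoft recommended driver block rules.

```powershell
# Added example, not eG Enterprise code: flag kernel drivers on this host whose
# SHA256 matches a reference list of known-vulnerable driver builds.
# The list below is a constructed placeholder; in practice you would maintain it
# from a curated source such as the Microsoft recommended driver block rules.
param([switch] $LoadedOnly)   # only check drivers currently in the Running state

$ReferenceJson = @'
[
  { "sha256": "0000000000000000000000000000000000000000000000000000000000000000", "name": "placeholder-driver-1.sys" },
  { "sha256": "1111111111111111111111111111111111111111111111111111111111111111", "name": "placeholder-driver-2.sys" }
]
'@

# Lookup keyed by upper-case hash so the comparison is case-insensitive
$bad = @{}
foreach ($entry in ($ReferenceJson | ConvertFrom-Json)) {
    $bad[$entry.sha256.ToUpperInvariant()] = $entry
}

# Kernel drivers registered as services; PathName may carry \SystemRoot\ or \??\ prefixes
$drivers = Get-CimInstance Win32_SystemDriver
if ($LoadedOnly) { $drivers = $drivers | Where-Object { $_.State -eq 'Running' } }

$findings = foreach ($d in $drivers) {
    if (-not $d.PathName) { continue }
    $path = $d.PathName -replace '^\\SystemRoot', $env:SystemRoot
    $path = $path -replace '^\\\?\?\\', ''
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    if ($bad.ContainsKey($hash)) {
        # Report the signature too: a valid signature does not make a known-vulnerable
        # driver safe, which is exactly what BYOVD abuses.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Service   = $d.Name
            State     = $d.State
            Path      = $path
            SHA256    = $hash
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            ListEntry = $bad[$hash].name
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No registered driver matched the reference list.' }
```

Run it as an administrator so every driver image is readable; a matching entry that also shows a valid signature is the BYOVD case the article describes, and the driver should be checked against the vendor's fixed version or the Microsoft block rules.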
Out-of-the-box eG Enterprise v7.5 provides proactive alerts if a driver vulnerability is identified.
This capability is supported for a Windows OS, when using a VM agent for inside view monitoring and when monitoring an Azure Virtual Desktop (AVD) session host.
eG Enterprise is an Observability solution for Modern IT. Monitor digital workspaces, web applications, SaaS services, cloud and containers from a single pane of glass.